Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

click2005 notes an article in The Register calling into question the one piece of hard evidence that has been put forward to pin the Google cyberattacks on China. It was claimed that a CRC algorithm found in the Aurora attack code was particular to Chinese-language developers. Now evidence emerges that this algorithm has been widely known for years and used in English-language books and websites. Wired has a post introducing the Pentagon's recently initiated effort to identify the "digital DNA" of hackers and/or their tools; this program is part of a wide-ranging effort by the US government to find useful means of deterring cyberattacks. This latter NY Times article notes that Google may have found the best deterrence so far — the threat to withdraw its services from the Chinese market.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.

Emphasis mine. Nowhere is he talking about a CRC algorithm or even fingerprinting the attack to a particular country. Instead, the obvious question is simply this: Who else would hack one of the most successful companies in the world only to read the e-mails of Human Rights Activists in China? What possible gain could anyone else have from this information?

I'm not saying hard evidence has been provided one way or the other (I'm not even sure it could be proven one way or the other unless someone claims ownership) but the only evidence the accuser offered up was this. Not that the "algorithm was only known to Chinese" nor anything as simpleton.

Who else would hack one of the most successful companies in the world only to read the e-mails of Human Rights Activists in China? What possible gain could anyone else have from this information?...Someone who is trying to discredit China?...Someone trying to say that someone is trying to discredit China?

To my knowledge, there are only two groups of people that follow Chinese human rights activists; The Chinese,(for tank tread inspections), and the Activist's Moms. I didn't know that Mom's had such a in depth awareness of Cyber Attacking. Go figure.

Someone who is trying to discredit China?
China does a good job of discrediting itself. Deny and 'don't answer the question'
Someone trying to say that someone is trying to discredit China?
Well that would be you then. Are you admitting something?

Which brings us to the second-most likely suspect: one of Google's competitors in China. Think about it for a moment:

If they successfully hack the servers, they give the info to the Chinese government and Google gets blamed for revealing data even if they didn't. The American public gets mad at Google, who loses market share. The dissidents hear about it through the underground and realize that Google is insecure and they lose more market share.

If they get caught, everyone blames the Chinese government, Google has a hissy fit and pulls out of China and loses all its market share.

Or someone wanting to collect information that they might be able to sell to an operative working on behalf of the Chinese government/police. The right data can be very valuable if you can contact the right people to sell it to...

Google doesn't have to prove things beyond a reasonable doubt. More to the point they don't have to prove it beyond any and all doubt no matter what, which is the standard many geeks seem to use. Internally, they only have to prove it to their own satisfaction, which it would seem they've done.

Yeah because people never hide things and lie to push their own agendas.

Gmail accounts of Chinese human rights activists.

If I were the US government, these are the kinds of accounts I would access to test cyber warfare tools.Like you aren't saying it was China, I'm not saying the US government was behind it but just that the evidenceseems circumstantial and very convenient. The evidence was also circumstantial and very convenient when usedas justification to invade Iraq.

Yes it would be an odd move as it could put themselves and their friends in quite a bit of danger, but it could also be high reward, if other countries fall for it and do something about it (if they could)

I know it's bad to think about the victim as possible being the one who set things up, but from time to time we need to at least explore the idea, or you will get played repeatedly.

Also, it's hard to see the payoff. Even with censorship, Google in China seems to be more independent than Baidu, so it's hard to see how Human Rights groups would benefit by driving Google out of China.

It requires someone with enough confidence and resources to attack about twenty US companies for months.
It requires someone to anticipate the unusual move of Google on this attack.
It requires someone confident enough to operate from China and escape the Chinese government's scrutiny, even after their operations have been revealed. I think that makes a lot of hypothesis.

The Chinese government has spent hundreds of millions training a "cyber-army". Maybe they have spent so much in that toy that they are flexing their muscles a bit ? It is not that long ago that experts were warning about the hacking capabilities of China [timesonline.co.uk]

The finger certainly points in the direction of the chinese. HOWEVER, It could just as easily be the US, the chinese rights groups or any other group looking to discredit china. Without proof all you have is likely suspects and given we are supposed to believe in freedoms such as "innocent until proven guilty", what does that make us if we act the way we "think" they themselves are acting.

The finger certainly points in the direction of the chinese. HOWEVER, It could just as easily be the US, the chinese rights groups or any other group looking to discredit china.

Google "Tiananmen Square Massacre" or "Tibet". Seems to me that those activists don't have to
manufacture any proof.

there is plenty of proof, however what there isn't is plenty of world support for them. Like it or not this attack could have easily originated from any number of foreign governments or rights groups, however the most likely suspect is still the chinese government.

You are assuming that the only party interested in following or harassing the human rights activists are the Chinese government. It's not hard to think up *other* persons or groups that might be interested. Judging from the ultra nationalist kooks we have, we can imagine private nutcases who think of themselves as more patriotic than the government, who think the Party is much too wishy washy on the issues of class traitors and much too interested in appeasing the West.

That's just the second most likely scenario. Other, more exotic scenarios are possible as well. In a world with so many people connected to the Internet, virtually every kind of crackpot you can imagine is out there. All it takes is one with an Internet feed.

I think we have a preponderance of evidence situation here. On the whole, the most likely culprit is the Chinese government. But it's not quite to the "beyond a reasonable doubt" stage. You look at the whole web of evidence: the motivations, track record of past behavior, known propensities to industrial espionage, methods used, means and opportunity. Virtually every single datum is likely to have an innocuous explanation. It's the overall picture that convicts.

I agree with you, but I'd like to point out that that is not proof at all. When making accusations that can damage the relations of the two largest economies in the World, we should be damn sure of what we are doing. Google seems to be, but they also have more information than the rest of us. We are speculating.

In this case, I am still troubled by the apparent incompetence of the Chinese Government. Why did they think they could do this and get away with it? Didn't they realize that it could damage importan

Emphasis mine. Nowhere is he talking about a CRC algorithm or even fingerprinting the attack to a particular country. Instead, the obvious question is simply this: Who else would hack one of the most successful companies in the world only to read the e-mails of Human Rights Activists in China? What possible gain could anyone else have from this information?

There seems to be the general point of view the Google discovered what was happening and investigated on their own rather than enlist the State Dept. and their help from the beginning to use Google's network to observe, create honey pots and collect further data.

Perhaps they seeded the compromised accounts with information provided by the State Dept. to see who acted on that information and it turned out to be the Chinese Government?

*shrug* A loyal PRC citizen wanting to do the "right thing" or someone who'd like to sell the information for money to the Chinese government or someone else who might need leverage in negotiation with the Chinese government.

You think it's more likely that a CEO made a moral choice? Don't make me laugh. If morals had anything to do with it, they would never have gotten into China in the first place. It's not like Tiananmen Square hadn't happened yet....

No, I strongly suspect it's more like "Betraying the trust of other people is okay as long as you don't betray mine." And odds are, in a few months, this will all be forgotten and it will be back to business as usual, censorship, spying, and all. I'd love to be wrong about my cynicism, but it happens so rarely these days....

This CRC-16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, "crc_ta[16]". At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese:

Oh. My. God. I justreran the search [google.com] and it's changed. The top results are in English! It's the British that are attacking Google! Wait, one of the links is to a Blogspot site. Sweet Jesus, the attacks are coming from inside Google's own employee base! But wait, if you click crc_ta[16] [slashdot.org] enough times then Slashdot will show up in the list. Meaning Slashdot is the attacker on Google!

Oh Great Britain, Slashdot and even Google themselves, why have you forsaken us?

Google's pageranking engine returns a good enough set of available crawable webpages. It does not indicate guilt or scan all of human knowledge. Using it as any sort of evidence in a huge international scandal is less than prudent.

So based on the name of a variable the attack is from a certain geographic location?

The 'who else but the Chinese Government would want access to human rights activist accounts' argument is a little thin. So suddenly if anyone's account gets hacked, we can just immediately assume it's a group that opposes them and then pull our business out of an entire market?

Oh. My. God. I just reran the search and it's changed. The top results are in English! It's the British that are attacking Google! Wait, one of the links is to a Blogspot site. Sweet Jesus, the attacks are coming from inside Google's own employee base! But wait, if you click crc_ta[16] enough times then Slashdot will show up in the list. Meaning Slashdot is the attacker on Google!

Actually, your link likely won't substantially alter the rankings of Slashdot when you search for that term. The repetition of the term in this thread will do so, but your title likely not do so since all links in comments in slashdot automatically get nofollow tags. That means that search engines give the links little to no weight. This is a common tactic to reduce the incentive of spammers to spam links.

We were using and describing digital DNA in the mid to late 80s although the terminology used was slightly different as we/stole/ the term FIST from ham radio to use for it. it's actually an interesting technique although we weren't that sophisticated as we only looked at command streams and lingustics to identify country of origin and style of attack and group M.O. rather than pin pointing the actual attacker.
It was actually used successfully in a few virus and trojan incidents and I stil have at least a partial copy of the NARK database I collated at the time.

Evidence weakens that Joe Stewart's analysis shows that the CRC algorithm used in the attack was developed by Chinese programmers.

As other folks have pointed out, this is NOT the basis of Google's or others' assessments that the attacks originated from within mainland China, and in no way does it weaken the evidence regarding the origin of the attack.

I agree. Right now I'm training an army of American hackers that are going to roll over China. Check out this video [youtube.com] of my protege at work. That madd h4xx iz a freebie for you, the more advanced stuff (like photoshopping a cat's head onto a dog's body) will cost ya. USA #1 baby.

I agree. Right now I'm training an army of American hackers that are going to roll over China. Check out this video [youtube.com] of my protege at work. That madd h4xx iz a freebie for you, the more advanced stuff (like photoshopping a cat's head onto a dog's body) will cost ya. USA #1 baby.

While you are at it, you should try to implement The Daemon [thedaemon.com].;-)

I'd like to point out that this is not true if you really look at things objectively. The reason that this perception exists is the "Made in China" branding that they slap on everything. Of course, many cheap things have their final assembly occurring in China. However, if you were to break down the item's manufacture on a value-added basis, you would hardly that it was primarily made in China. More to the point, all of the really expensive things we buy (houses, cars) or the things we buy a lot of (foo

So what's stopping us? Simple. The manufacturing capacity exists in China and they are willing to look the other way and ignore environmental laws. Oh, and don't forget that a significant percentage of the parts are also manufactured there. The cost of manufacturing finished goods anywhere else is significantly higher because you first have to import the parts and China has tariffs that deliberately make it more expensive for unfinished goods to leave the country.

As someone who has been reverse engineering quite a bit of software recently, I can tell you that the assembly code from the attack and the Chinese version of the algorithm match completely. In other words, the output looks like exactly what an (optimizing) compiler would've produced given that source code. Note the operations performed inside the loop and the use of stack allocation for the table (and therefore the required initialization every time the function is called).

As far as I can see, none of the English versions are similar. Sure, they implement the same algorithm, but the chinese implementation matches the attack code, not just the algorithm,

To add to this:
the analysis on the original "research blog" was also more specific than the register article.
He said:

By decompiling the algorithm and searching the Internet for source code with similar constants, operations and a 16-value CRC table size, I was able to locate one instance of source code that fully matched the structural code implementation in Hydraq and also produced the same output when given the same input

The Register people seem to have accepted similarity in code, without going to the trouble of
checking the outputs.

Of course would you want to bet that even if it matched another implementation that it wasn't a Chinese programmer?The first deep programing book I ever read was Data Structures + algorithms = Programs. It has influenced my code style just as the fact that my first programing teacher was an old Fortran programmer. Yes I often use i for for loops to this day even though I know it is now considered bad form.So if I wrote an attack would would we say it couldn't have come from the US because some of the algo

Of course would you want to bet that even if it matched another implementation that it wasn't a Chinese programmer?

You seem unclear on the purpose of evidence. Its purpose is to distinguish between hypotheses. There are two hypotheses here. 1) Some hacker based in China did the hacking. 2) The first hypothesis is not true (the "null hypothesis"). An implementation that everyone knew about and anyone could have used doesn't distinguish between hypotheses #1 and #2. Hence, it cannot be evidence for hypothesis #1. An obscure implementation that has only been seen in China, favors hypothesis #1.

I do see the difference.The thing is that even if the implementation is most commonly seen in China that is also evidence. And as the grandparent post pointed out the implementation does exactly match the implementation as often taught in china.My point is that with the mobility of knowledge we have today that a match or that implementation being documented else where isn't definitive one way or the other.

I do agree. What I was saying that just because that implementation was documented outside China it doesn't in any way decrease the probability that it was done by China.Or if they had used an implementation that was never documented in China.The targets are the big evidence in my book.What I find somewhat interesting is that they used a CRC implementation as the "fingerprint".Who writes their own CRC code anymore? I mean not since college have I written a CRC function. There are a million of them available

Knowledge is mobile. However the biggest barriers it meets today are those of language. This isn't a smoking gun (enough other posts point out to the IPs of the control servers and the fact that targeting human rights activists in China benefits no one else) but a clue that everything looks like it is of Chinese origin.

My point is that with the mobility of knowledge we have today that a match or that implementation being documented else where isn't definitive one way or the other.

What does "definitive" have to do with it? They have motive, opportunity, and evidence pointing at them. That's not "definitive" but good enough. You don't prove "beyond a shadow of a doubt" but "beyond a reasonable doubt." Simply put, unless there's anyone else likely to do it, the obvious person did it. No one has suggested anyone else cr

Please stop finding and posting evidence contrary to my preconceived notions! Enough already. As it is I am trying to contain my cognitive dissonance and I can do without all these pesky counter evidence, thank you. Next you will ask me to believe that Microsoft is not 100% evil and Apple is not 100% cool and Google is not 100% non-Evil (tm).

I suppose you'd argue in favor of holding the phone company responsible if you received a harassing phone call as well? You're right, that is a bit of a stretch.

My point was that it's really easy to mask where you're coming from by bouncing through legitimate services provided by companies all over the world (who I'm sure would be quite reluctant to release their logfiles just because you asked for them really nicely). Looking at/var/log/secure will only catch the most amateur of 'hackers'. The topic at hand is what else one can do to determine who's ultimately behind it.

Set aside the industrial espionage charges. Who benefits from the hacking of the activists' and journalists' accounts? The PRC and its enemies. The usual suspects like the Russian mob, Nigerians, etc. have little, if anything, to gain from this and certainly not enough to offset the harm that could happen if a company with Google's expertise brought scrutiny to them.

Do you recall how unfair you thought it was when your third-grade teacher punished the entire class for the misbehavior of one student because she couldn't identify the perpetrator? That's exactly what Google is doing. It's not "deterrence" at all. At best it's indirect deterrence, since it doesn't affect hackers directly; what it affects is the entire Chinese "class" by withdrawing from its network and e-economy, hurting or diminishing the many in an attempt to change the behavior of just a few.

Well... since SOME people claim that communism is economic entropy, then by extension you're saying that it's a basic principle of entropy, and that the entire universe has to share the risk because of the few?

Except that the scale of the attacks, the targets of the attacks, and the fact that they went on in a country that is fanatical about monitoring internet use, strongly suggests that the Chinese government either conducted or encouraged the attack. So it is reasonable for Google to hold the Chinese government responsible. Clearly Google's view is, "We try to cooperate with your unreasonable censorship rules, we expect you not to try to crack into our systems. You didn't hold up your end of the bargain, so the deal is off. If you don't like it, we'll take our ball and go home."

That description and justification is only true IFF the Chinese government was responsible or holding the purse strings. TFS and TFA suggest that this is perhaps not the case after all.

Google is perhaps justified in taking SOME kind of knee-jerk action to protect itself, temporarily at least, in the absence of knowing the real cause or source, but what's your justification? You have nothing to protect, do you? Are you protecting a blind faith in Google and by extension the rightness of its actions?

Google is perhaps justified in taking SOME kind of knee-jerk action to protect itself, temporarily at least, in the absence of knowing the real cause or source, but what's your justification? You have nothing to protect, do you? Are you protecting a blind faith in Google and by extension the rightness of its actions?

That's an odd question. Are you asserting that nobody should have opinions on topics such as political censorship, human rights, or the relationships between information-based corporations and

If you want to know if the hacks were done with Chinese government approval, watch and see who they put to death for it. As with the contaminated baby formula, China has a strong tradition of swift trials and swifter executions for those citizens who through unauthorized behavior embarrass them on the world stage. Strong enough that it makes them rather transparent when denying something they actually did do.

We could do the same thing here too, if it weren't for that pesky "constitution" thing!

Actually, I kinda like the Chinese use of the death sentence for life-threatening corruption. Unfortunately, in this case the misbehavior doesn't appear to be life threatening. (Unless you're one of the human rights activists hacked, and you accidentally said something counter to the interests of the Chinese government on the foolish assumption that your private emails were, in fact, private. In that case, then certainl

When i saw the 1st google complaint, i tought that was weird that for one side you have high tech attacks (i.e. the one to steal IP from google, hacking into inside computers using IE6/flash/acrobat/whatever vulnerabilities) and the other was somewhat low tech, social engineering or just shopping into black market to infiltrate into the mail accounts of human rights advocates in China.

If you put both together, assuming that have the same source, could point to someone big enough to be backed by China gove

If when you say "China was responsible for the attacks" you are referring to the Chinese Government or persons acting at the direction or in the employ of the Chinese Government, I'd agree that's probably not the case. On the other hand if you are referring to persons based in China acting of their own volition in an attempt to show patriotism for their country possibly in return or with the expectation of favors from those in power then I think we can safely say "Yeah, that's them." It is all very conven

I'm surprised that people aren't reaching for the most obvious explanation for this announcement of newly-weakened evidence. Isn't it obvious that it's a part of a deal that Google cut with China, in which it was agreed that tensions will be de-escalated in public?

Google is saying the equivalent of "Oh, did I call your mama a whore in front of the whole world? No, no, of course not! I was saying she was a HORRibly nice woman, but my phone was cutting out! I would never accuse your mama of pulling tricks for

I don't like China, and I think their government is insanely authoritarian. From Green Dam to pulling Avatar out of theaters to having no health standards on the toys they produce is only the beginning. I've heard so many bad things about the Chinese government I wouldn't even know where to begin. But it doesn't take a genius to realize China is NOT behind these attacks.

Let's look at the facts. First Google releases a statement saying they were attacked, and they think it was China, and as a result they

They're not coming to destroy us. They are doing this to crack down on their own dissidents, because quite frankly, all this new-fangled communication media scares the shit out of them. After all, look at all the trouble it has caused in Iran! Imagine another tiananmen square protest, but this time using Twitter and GPS to avoid the soldiers... can you begin to see why China is desperate to do anything they can to keep these people from communicating with each other? Suddenly you have flash mobs that are mu